Feature #4270

open

load rules from database

Added by Iain Watson-Smith almost 4 years ago. Updated 5 months ago.

Status:
New
Priority:
Normal
Target version:
Effort:
low
Difficulty:
low
Label:

Description

Suricata.yaml should have the option to supply a database connection string to load a ruleset from a database. There are too many rules to be managed and searched from files alone, and searching, editing, and creating new rules in files can be a nightmare. I'd use pythonids to parse a set of files in a directory, then keep the raw rule as a column in a database. At start time, suricata could optionally read this table and load the rules that are enabled / disabled from that table. You could optionally send data back to the database provided you've kept the sid column of any alert. Database table might look like this:

| id | raw_rule | sid | message | comment | enabled | classtype | content | rev |

Any feedback appreciated.
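
As an added illustration (not part of the feature request and not Suricata code), the table sketched above can be prototyped today with a sqlite rule store: the raw rule is kept verbatim, the sid/msg/classtype/content/rev columns are pulled out of it, and the enabled rows are exported to a plain .rules file that a stock Suricata can load. The schema, the helper names and the two sample signatures are constructed for the example; the pythonids parser mentioned in the request is replaced here by a small regex so the script runs offline.

```python
"""Added example: sqlite-backed rule table (columns as sketched in the feature request)
plus an exporter that writes enabled rules to .rules-file text. Not Suricata's code."""
import re
import sqlite3

# Constructed sample rules; the sids are in a private range and the content is made up.
SAMPLE_RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"EXAMPLE outbound 4444"; '
    'classtype:trojan-activity; sid:9000001; rev:2;)',
    'alert dns any any -> any any (msg:"EXAMPLE dns query"; content:"example"; nocase; '
    'classtype:policy-violation; sid:9000002; rev:1;)',
]

# Assumed schema: one row per rule, raw rule kept verbatim, sid unique so alerts map back.
SCHEMA = """
CREATE TABLE rules (
    id INTEGER PRIMARY KEY,
    raw_rule TEXT NOT NULL,
    sid INTEGER NOT NULL UNIQUE,
    message TEXT,
    comment TEXT,
    enabled INTEGER NOT NULL DEFAULT 1,
    classtype TEXT,
    content TEXT,
    rev INTEGER
)
"""

# Minimal option extractor: `key:"value";` or `key:value;` (first occurrence only).
_OPT = {k: re.compile(rf'\b{k}:\s*"?([^;"]*)"?\s*;')
        for k in ("msg", "sid", "rev", "classtype", "content")}


def parse_rule(raw):
    """Return the column values for one raw rule; raises if the rule has no sid."""
    def grab(key):
        m = _OPT[key].search(raw)
        return m.group(1) if m else None
    sid = grab("sid")
    if sid is None:
        raise ValueError("rule without sid: %r" % raw)
    rev = grab("rev")
    return {
        "raw_rule": raw,
        "sid": int(sid),
        "message": grab("msg"),
        "classtype": grab("classtype"),
        "content": grab("content"),
        "rev": int(rev) if rev is not None else None,
    }


def load_rules(conn, raw_rules, enabled=True):
    """Insert raw rules into the table, keeping the raw text and the extracted columns."""
    rows = []
    for raw in raw_rules:
        r = parse_rule(raw)
        rows.append((r["raw_rule"], r["sid"], r["message"], None, int(enabled),
                     r["classtype"], r["content"], r["rev"]))
    conn.executemany(
        "INSERT INTO rules (raw_rule, sid, message, comment, enabled, classtype, content, rev) "
        "VALUES (?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return len(rows)


def set_enabled(conn, sid, enabled):
    """Toggle one rule by sid; this is the edit the request wants to do in the DB, not in files."""
    conn.execute("UPDATE rules SET enabled=? WHERE sid=?", (int(enabled), sid))
    conn.commit()


def export_enabled(conn):
    """Text of a .rules file containing only the enabled rules, one per line, ordered by sid."""
    cur = conn.execute("SELECT raw_rule FROM rules WHERE enabled=1 ORDER BY sid")
    return "".join(row[0] + "\n" for row in cur)


def lookup_sid(conn, sid):
    """Map an alert's sid back to its row (the 'send data back to the database' idea)."""
    cur = conn.execute("SELECT sid, message, classtype, enabled FROM rules WHERE sid=?", (sid,))
    return cur.fetchone()


def build_demo_db():
    """In-memory database populated with the constructed sample rules."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    load_rules(conn, SAMPLE_RULES)
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    set_enabled(db, 9000002, False)   # disable one rule in the DB, not in a file
    print(export_enabled(db))          # only sid 9000001 is written out
```

The exporter is the piece that makes this usable without a Suricata change: generate the file, then point `rule-files` in suricata.yaml at it and reload. Keeping `sid` unique in the table is what lets alert records (which carry the sid) be joined back to the rule row.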
